From 566f8e734d1b5416305b7ab04c6eda48f40e576b Mon Sep 17 00:00:00 2001
From: Vishakha Agarwal <agarwalvishakha18@gmail.com>
Date: Thu, 5 Sep 2019 15:09:40 +0530
Subject: [PATCH] Remove system Domain Config from policy.v3cloudsample.json

By relying on system-scope and default roles, these policies are now
obsolete.

Change-Id: I21473f757611cfd3299d0227eddef89d4ef624ff
Partial-Bug: #1806762
Closes-Bug: #1805366
---
 etc/policy.v3cloudsample.json                 |  8 +---
 keystone/tests/unit/test_policy.py            |  5 +++
 .../notes/bug-1805366-670867516c6fc4bc.yaml   | 41 +++++++++++++++++++
 3 files changed, 47 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/bug-1805366-670867516c6fc4bc.yaml

diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 8487a34a47..0822aedd41 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -51,11 +51,5 @@
     "identity:check_token": "rule:admin_or_owner",
     "identity:validate_token": "rule:service_admin_or_owner",
     "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_owner",
-
-    "identity:create_domain_config": "rule:cloud_admin",
-    "identity:get_domain_config": "rule:cloud_admin",
-    "identity:update_domain_config": "rule:cloud_admin",
-    "identity:delete_domain_config": "rule:cloud_admin",
-    "identity:get_domain_config_default": "rule:cloud_admin"
+    "identity:revoke_token": "rule:admin_or_owner"
 }
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 67df10ecf3..48cdbfc3e3 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -197,6 +197,7 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:create_consumer',
             'identity:create_credential',
             'identity:create_domain',
+            'identity:create_domain_config',
             'identity:create_domain_role',
             'identity:create_endpoint',
             'identity:create_endpoint_group',
@@ -226,6 +227,7 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:delete_consumer',
             'identity:delete_credential',
             'identity:delete_domain',
+            'identity:delete_domain_config',
             'identity:delete_domain_role',
             'identity:delete_endpoint',
             'identity:delete_endpoint_group',
@@ -261,6 +263,8 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:get_consumer',
             'identity:get_credential',
             'identity:get_domain',
+            'identity:get_domain_config',
+            'identity:get_domain_config_default',
             'identity:get_domain_role',
             'identity:get_endpoint',
             'identity:get_endpoint_group',
@@ -336,6 +340,7 @@ class PolicyJsonTestCase(unit.TestCase):
             'identity:update_consumer',
             'identity:update_credential',
             'identity:update_domain',
+            'identity:update_domain_config',
             'identity:update_domain_role',
             'identity:update_endpoint',
             'identity:update_endpoint_group',
diff --git a/releasenotes/notes/bug-1805366-670867516c6fc4bc.yaml b/releasenotes/notes/bug-1805366-670867516c6fc4bc.yaml
new file mode 100644
index 0000000000..274b87138f
--- /dev/null
+++ b/releasenotes/notes/bug-1805366-670867516c6fc4bc.yaml
@@ -0,0 +1,41 @@
+---
+features:
+  - |
+    [`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
+    The Domain Config API now supports the ``admin``, ``member``, and ``reader``
+    default roles.
+
+upgrade:
+  - |
+    [`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
+    The Domain Config API uses new default policies to make it more
+    accessible to end users and administrators in a secure way. Please
+    consider these new defaults if your deployment overrides Domain Config
+    policies.
+deprecations:
+  - |
+    [`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
+    The Domain Config API policies have been deprecated. The
+    ``identity:get_domain_config`` policy now uses
+    ``role:reader and system_scope:all`` instead of
+    ``rule:admin_required``.
+    The ``identity:get_domain_config_default`` policy
+    now use ``role:reader and system_scope:all`` instead of
+    ``rule:admin_required``.The ``identity:create_domain_config`` policy
+    now use ``role:admin and system_scope:all`` instead of
+    ``rule:admin_required``. The ``identity:update_domain_config`` policy
+    now use ``role:admin and system_scope:all`` instead of
+    ``rule:admin_required``.
+    The ``identity:delete_domain_config`` policy
+    now uses ``role:admin and system_scope:all`` instead of
+    ``rule:admin_required``.
+
+    These new defaults automatically account for system-scope and support
+    a read-only role, making it easier for system administrators to delegate
+    subsets of responsibility without compromising security. Please consider
+    these new defaults if your deployment overrides the domain config policies.
+security:
+  - |
+    [`bug 1805366 <https://bugs.launchpad.net/keystone/+bug/1805366>`_]
+    The domain config API now uses system-scope and default roles to
+    provide better accessibility to users in a secure manner.